 Welcome back to this episode of Security Matters Hawaii. We're live in the Think Tech Hawaii studios today and we've got Matthew Rosenquist joining us today. Cyber security strategist, industry evangelist, Matthew's got a lot of titles and I'm really happy to have you joining us today, Matthew. Welcome. Thank you. It's my pleasure to be here. Awesome. I really appreciate it. So what we thought we'd do, since this is our last show of the year, is take a look back at what technologies have sort of permeated the physical security industry and had the most impact maybe in the past year or so. And to me, the sort of the first one that came out was this issue of facial recognition. It kind of bleeds into privacy too, but facial recognition, we really didn't get in front of the privacy discussion there as an industry and now we're seeing it outlawed and things like that where we felt it had a lot of potential for law enforcement and things like that. So what do you think about that one? Yeah, that was kind of a big miss really in the physical security industry, the cyber security industry, having to deal with data breaches and whatnot was very sensitive even coming into this year. And we're seeing even more regulations. California is leading a pack of states that are enacting even stronger privacy regulations very similar to what Europe's doing. So privacy is important. However, there also are tremendous benefits on the physical security side for facial recognition. You had mentioned for law enforcement. Absolutely. And we're seeing other nations around the world using facial recognition and tying into different even private systems to help with either deterring crime or tracking criminals down after the fact. But there's also use cases in retail, for example, you can track people, what they're doing, what they're looking at, be able to give them a better experience, right? 
Be able to find that customer who's looking for a sales associate and get to them faster or figure out what products are going to best suit them. So there are some benefits, however, we can't ignore the privacy concerns, especially if that data is being tracked and we're starting to tie more and more information into whatever data that we're capturing. Yeah, that leads me right to, so I pulled up the Security Industry Association recently published the top megatrends for the industry. And number one on that list was the cybersecurity impact on physical security. And I know that you recently just penned a document looking at seven of those top areas that are particularly, you know, have two sides of that coin, you know, benefits and then risks, of course, with any technology. Let's pull that graphic up real quick and see if we can take a look at the ethics and accountability piece. And this one's really about AI, your first one. In that facial recognition piece, you know, that using of that image of someone or whatever, you know, I think law enforcement is fairly clear in the United States. The rest of the world may be not so clear as to how and when they could use those images or what they could do with them. And then of course, if you start processing those images with the power of AI. So Matthew, did you see a lot of that starting to happen? Or is it still a thing where, you know, machine learning, we're talking about it, but not necessarily using it or not using it appropriately everywhere? Oh, no, it's going lightning fast. It absolutely is. China is probably the leader in this. So they're employing 700 million cameras across the nation. And the stated, I mean, they're very clear about this. They want to be able to identify people on the street when they're going from here to there. They want to be able to track people and protect them, right? It's also under that umbrella.
They're doing it for certain reasons, but being able to track a billion plus people anywhere they go in their major cities is really what they want to do. And you're talking, you know, one camera for every couple of people in China, and that number is actually going up. So a lot more cameras are being deployed. They're using facial recognition at scale. They're developing the systems to be able to handle it at scale and improve the accuracy. And again, there's great, great benefits, but also, you know, from our perspective in the US and in Europe, that type of tracking constantly can seem a little pervasive and kind of infringe upon, you know, our liberties. For them in China, it isn't that, you know, the case. Yeah. And that maybe leads us to that next piece that you mentioned here, with the insecurity of autonomous stuff, right? So if we've got powerful enough machinery to follow us around and perhaps, you know, perhaps invade our privacy or perhaps make mistakes about who we are, or perhaps decide that we're not allowed in some place, all on its own, that is a bigger power issue that maybe we're going to have to deal with in the future. Maybe it's not happening yet today. I'm not sure how much of the machine learning tools they're giving people scores, for example, in China already and allowing them to do things or not do things. Like, we have a no fly list in this country, right? Maybe there's, you know, they're not allowing people to leave the country for certain reasons, maybe, I don't know. Yeah, actually they do. They've got a whole social network. It's actually tied almost to gamification, if you will. Wow. Unlike the United States, where we've got like a loan rating or FICO scores. In China, they don't have that. It's actually your social rating. Wow. And how good of a citizen you are. Ah.
So they track, the government tracks, you know, how much time that you spent doing volunteer work, or whether you've donated this week, or what kind of groceries you're buying. Is it healthy? You know, are you paying your taxes? Are you going to the right political parties? Are you connected with the right type of fellow citizens that's also supportive of government and helpful to their community? And if not, your score goes down. If you connect or friend with somebody that maybe has radical views, your score goes down. This could impact whether you get a visa to travel. This could impact whether you could even book a first-class seat on something. And so there's a lot more ramifications. Now, tie this in to all the cameras and then tracking where you're going, right? Did you go to a rally that perhaps was not pro-government? Did you go somewhere that was maybe a volunteer effort? Maybe your score goes up. So there's a lot more with technology that they can use to grade and encourage certain behaviors and discourage others for their populace. Interesting. Yeah. I was just reading somewhere that they, it's been in recent years, but they surpassed us. I think China had 200 of the world's supercomputers and we're down to like 150 or something like that. I was kind of surprised to know that we were no longer the supercomputer power of the world. About 10 years ago, they started pouring billions of dollars into their national technology, specifically around computing supercomputers and even chip manufacturing production design. There are several large cities and regions that are powerhouses in these spaces and have been actively acquiring information so that they can be competitive on a world market. Yeah, you talked a little bit in your article about the data lakes and it's interesting how from a U.S.
perspective, I'm thinking this stuff is more in the future or things we have to consider for our future, whereas other countries from a technological spectrum are already doing these things and already implementing them. So maybe we'll be learning lessons from them, whereas I think everyone's always tried to borrow lessons from us in the past. Yeah, I think we're a little bit behind, especially in the privacy space and quite in the transparency space because the data that we're talking about actually is already being gathered to a great extent. And it's the laws and the regulations that are coming in. And now the data breaches as well that are highlighting that fact. We look at Cambridge Analytica and they were actively promoting the fact that they had between four and 5,000 pieces of data for every American and that they could take a segment and use that data to figure out how to change someone's opinions, you know, whether it be on vermin or a product or a person, things of that sort. And four to 5,000, that really isn't that much. If you look at your browser or your social media, they're tracking a lot more than that just alone. And what we're having with these data lakes is the aggregation across all these platforms to be able to track millions of data points for people, everything from your health to your purchases to where you go to who you talk to, everything. Yeah, I've often said that, you know, we're not, you know, as an industry, the physical security industry, electronic security is not, we're not really big brother, but we're sort of big brother's little helper. And that a lot of these devices that we put out there are capable of collecting this information, you know, be it video that things are gleaned from or where you go, you know, access control your behaviors in the, with the turning on and turning off of systems, maybe your alarm, your alarm system at home probably is a good measure of how often you are there and not there, things like that. 
You talked a little bit about the use of connected devices, and that the information that can be, I guess, arranged from knowing things from multiple systems, and then we've gotten more and more power for doing that. Do you think the security industry needs to get a better voice in trying to help consumers or businesses, even in government, to understand what capabilities we could lend in a positive way? Or are we still, are we going to wait for regulation to tell us what to do? I guess it's kind of the other side of that coin. Well, unfortunately, regulation, especially when it comes to cybersecurity, where a lot of this is being driven from, doesn't keep pace. It simply doesn't keep pace with the rate of innovation. And so if we wait for regulation, we're going to be in a situation where it starts to constrict technology, and that reduces the benefits that we can all gain from it. So, and unfortunately, right, privacy, we're kind of in that space now. We didn't look ahead. We didn't proactively put controls in place. So now the technology industry is reeling from that. And there's, we're taking a few steps backwards. But that is not the way we want to do it. For any area, whether it be physical or cyber, we need to be able to look at the potential issues that the industry is not addressing, that don't align with the expectations either current or future of the populace of society, and head ahead, right? We want to be able to build those best practices. We want to be able to have industry standards that align with where people are mentally and emotionally. Because if not, then you get anger, you get fear. And when that happens, people go to their government and say, Hey, force companies to do something. And we don't want that. I think, you know, we as the security industry, I think always, I was always a trusted industry, or at least I hope we were a trusted industry. I feel like we were.
And not being out in front of cybersecurity with our devices that we deployed, and then not being in front of the privacy discussion. Do you think the erosion of trust is something that our industry was impacted by in the past year or so? I think it was. But again, I think if we look at those overlapping circles between physical security and cybersecurity, I think physical security still has a lot more trust than the cyber side. And it may have to do with the amount of information and data that's currently being captured on the physical security side, which is much less than on the cyber side, you know, your IT or infrastructure, all the devices you have and everything else. So physical security is in a much better position from regaining some of that trust. I think there was some trust lost when you walk into a store and there's cameras there and they're tracking you and you feel kind of weird and you're wondering, are they taking pictures of your kids? What are they going to do with that? Because people are now more aware, right? What are they doing with that data? Are they sharing it? Are they storing it? Are they tracking me? And now we've got, you know, web browser settings where I can remove some of that. And I can go into a company online and send them an email to say, hey, you know, remove that data. Can we do that on the physical side? We haven't really reached these kinds of questions. Sure. Nor do we know what data is being captured. So that becomes a problem moving into next year and the year after. Because all the cybersecurity requirements that we're seeing, like the California Privacy Act that's coming up, that's going to be enacted here in the next year, companies have to tell customers, you know, what data we have and give them the option to have it removed to not sell it. Will that bleed over to the brick and mortar environment with physical security? Yeah, it's interesting. 
You know, I know that part of GDPR, I believe, you have to have the ability in your surveillance system to be able to remove someone's surveilled video at their request. And I don't know in the US if we're going to have policies like that. We have the tools to do that, but I can't imagine the infrastructure that if you had people walking around a facility all day, visitors, guests, whatever it may be, and they want to be removed, how much time that may take to do that. It's going to be an interesting, an interesting, I guess, thing to watch as this, as the legislation and the laws develop around this, how it gets handled in the US versus what they've done in Europe. Yeah, and we don't want the pendulum to swing too far back, right? We want to find that optimal level. And if fear is running rampant, then the legislators are going to feel that and they're going to drive very hard pressing kind of regulation that will limit innovation. And we don't want that, right? We want innovation. We want our tools. We want all the benefits, but we do have to be cognizant that there comes, you know, it comes with risks and then proactively address those. So we want to maximize the risks. There you go. With that, I tell you what, let's take a short break and pay some bills, and we'll be right back in just a minute with Matt Rosenquist.
Welcome back to Security Matters Hawaii. We're chatting with Matthew Rosenquist, cybersecurity evangelist, cybersecurity strategist. Matthew, we were talking about these devices. We were talking about privacy. We're talking about some of the trends that impacted the US and are going to be impacting the US. There's another one that you brought up in this paper recently about these next billion cyber criminals, the folks that are coming online. I was wondering, it scares me a little bit that there's maybe six billion users and a billion of them are maybe criminals, right? The odds aren't too good for a guy like me at that level. How many do you think came on last year? I just don't sort of have these numbers at top of mind, but surely hundreds of thousands of new users came on and perhaps joined these criminal ranks that are making some money. They're improving their quality of life, and they maybe don't have the same ethics we do. Yeah. Right now, we've got about 4.4 billion people that are connected on the internet. In the next couple of years, we're expecting another billion and then another billion, obviously, to follow that. Within the next couple of years, we're going to see a lot more people. We're at a point of convergence here. Most of the well-developed countries out there, most of the people are actually on the internet. Where we're going to see this growth, the next billion people are going to be in developing countries. Now, you and I, I mean, we live a privileged life. Let's be honest. Half of the planet, actually more than half of the planet, make less than $20 a day. So it's hand to mouth. So they're looking to put food on the table and it's a struggle.
It's the hustle. You got to hustle every day to survive. And so when we look at this next billion people that come online, it isn't for entertainment. It isn't just to be able to communicate. It is an opportunity for them to make a better life for themselves. Many of these people are locked into a local geography. So you're limited to the number of jobs and you're competing with everybody else. When you're now on the internet, you can reach out and you have opportunities around the globe. So this is where you get cyber criminals thinking, I've got a whole new population to help me do my dirty deeds. And you've got things like ransomware as a service. You've got terrible, like robocalling and all sorts of other types of fraud out there. Spam and phishing, all these activities don't necessarily take a high degree of technical savvy. But it does take a lot of work. And when you've got this entire new community joining the internet that are hungry, potentially literally hungry, they're willing to take those risks. And so we're seeing the cyber criminals create packages, ransomware packages that take zero expertise. And they will run the entire backend infrastructure. All they need is somebody that can hustle, join social media clubs, groups, befriend people to send them links to get them to download something, to get them to open a file. And then they will get a cut. And that cut, which may only be a few percentage points, may quadruple what they're making every day. It could be life changing. This is what we're facing. And this is what I'm concerned with moving to the next billion because those people, just because they come from a disadvantaged economy does not mean they're not very smart and imaginative. That's true. And those are the criminals they have to worry about, because they will find a way. They are persistent, they are motivated, they are creative. That's what we're going to be facing. Scary for the rest of us.
Do you think that the electronic security world will be, you know, when we talk about like smart cities and the deployment and being able to track people, you know, when we can figure out that these guys have never left the house, for example, but they're depositing money in their bank account, you know, maybe the physical piece will be able to help us identify some of this behavior that's, you know, questionable. Maybe, right. I mean, we're going to have to find the... I'm more worried about the physical side being victimized. If I want to hire an army for a few dollars a day to come in and do a denial of service against a physical site, their security, their communication. If I want to hire some people, 50 or 100 people for pennies a day to do vulnerability scanning on your networks, on your software, on your interfaces, or to compile data about your customers, your executives, your users, or your products, it becomes very easy. Yeah, I saw UL recently published some sort of like, I think there were five or six standards for like IoT devices. And I know that we've been working to get the security industry. For me, I sort of wanted our devices not included necessarily in IoT, but I think that's a battle we've already lost as well. I think we're considered part of that. Definitely our camera systems, right? And so, you know, do you think that our industry will go there alone and try to get itself, get its cyber maturity and cyber hygiene for its products? You know, rated, get them better? Maybe not all the products, but give me some I can use for DoD and for critical infrastructure and things like that. Or do you think it's going to again, they're going to wait around for regulation to just push them into it? Well, here I think is the unique challenge on the security, the physical security side. As we talked about, you already have trust. You already have a good amount of trust with your customers, with the market space and the industries.
And so when a security company goes and installs a surveillance system, there is a lot of trust and there's a lot of belief that they're doing it right. It works. It's secure. But the question is, is it really, is it really secure once they put it on the network? Or it's the data feed is going to a managed security service, right? Maybe, maybe not. So right now we're in this window of customers still trusting the physical security space because they've earned it. They've absolutely earned it. However, as we move into the next phase and there become potentially data breaches and all sorts of other problems, that trust may start to erode and questions are going to start to arise. And it's only when the customers start demanding and saying, Hey, we want these features. Tell me that it's, tell me the security features. Tell me how it handles data. Tell me what certifications it has, what standards it meets. Only then is there really that economic incentive to go down that path. So I think there are going to be some security companies, physical security companies and product companies that are forward thinking that take the initiative in preparation for this. But I think that the vast majority given the margins within the physical security market are probably going to lag behind. And until there is that clear financial requirement from a competitive perspective, they're not going to be an early adopter. They're not going to move fast. Yeah, I'm hoping that, you know, in the DoD space, we've got this Cybersecurity Maturity Model Certification coming out in the supply chain this year. And that's more of an internal thing. But I'm hoping that that's a sort of a window at what they'll be doing with our products soon enough. You know, there's, it's finally, we're getting measured. We're finally going to be getting audited. And I think once that audit just gets extended a little bit to the products that we're installing, maybe the manufacturers will come in a flood.
Because I know it's quite expensive to have these products certified. And we've seen a few now building trusted platform modules in. They've got certificates available for those that are trusted. So as much as there's problems with certificate trust these days as well, understand that. But there's, you know, there's, there's things happening. I hope it happens a little bit sooner anyway. You know, we're, we're down to about three, three minutes to go here. I want to get your final comments. We talked a little bit about trust. Talked about the billion. We talked about pervasive surveillance. Maybe take the, take the glasses off for the past. And let's look ahead at next, give me the next 24, 36 months. We will hold you to it. We'll get you back on to, to defend it in a year or so, whatever it takes. What do you, what do you think should be top of mind? Maybe one, two, three sort of for the physical security industry, the integrators, the manufacturers out there, and maybe even the public who is questioning us yet today or not. I don't know. Well, so the, the screenshot that we had there with it, with the top seven things, those are really about the future. And it's actually published out on Help Net Security. So you can go out there and take a look at that. And, you know, out of all those things, you know, the artificial intelligence aspect, it's being heavily used, and it will continue to be heavily used in the security space and both the cyber and the physical and, you know, where they, they intersect. And we need to worry about the ethics. We need to worry about how it can be used by the bad guys. We are already seeing how it can be used by the good guys, right? And in tracking nefarious activities and understanding baselines to find bad practices. But the bad guys are also using it. And they tend to be the leader. They've been using it longer than the good guys have. And we're going to see some very innovative attacks.
We're going to see innovative attacks that undermine trust, right? If you look at, for example, forgeries or deep fakes or, or things of that sort, I can forge the way you look. I could forge a video of you. I could forge your voice. I can even forge, using AI, your writing style. So those kinds of things, right? And so when we look at credentials and we look at, at how physical security uses some of these tools and whether it's worth, you know, how it can positively and negatively impact, I think AI is going to be one of the big things that both the good guys and bad guys from a physical security perspective are going to be looking at. And the other thing will be the autonomous, you know, connected devices. And whether that's automobiles that drive you, whether that's drones that fly over your head, anything that's got control in manufacturing, you've got all these devices that are running and operating and so forth all by themselves and making decisions for themselves. They represent a risk. They represent a risk to security. They represent a risk to individuals, to, to our data and everything else. And I think it's going to change some of the concerns and some of the responses. So, for example, if you have an autonomous vehicle, no driver, right? And I wanted to create a physical security incident. I could load it with, well, let's be benign. Let's just say some flares or smoke bombs, right? Stink bombs, if you will, and have it drive automatically to my target. Sure. And then light it up. Yeah. Yeah. How does the security gate stop that vehicle, right? If, you know, if it's under control of somebody else, or it just pulls up and goes off, right? Right near the lobby. You know, there's little things like that, that we've normally had controls in place. If somebody pulled, you know, had to drive up themselves, they put, you know, the attacker put themselves at risk, they could be identified, they could be arrested, if they're doing graffiti or whatever.
But autonomous vehicles take that out of reach. Yeah. You know, a drone spraying graffiti on walls or a building. Who do you go after? Yeah. There's going to be a lot for us to learn in the coming years. Matthew, I really appreciate you being on today. It was fun. I hope you have a great holiday season. This is our last show of the year. We'll be back in January with Security Matters. So come back and join us. And Matthew, I hope to get you back on here for an update at some point. Absolutely. Would love to. Take care, man. Aloha. Aloha, everybody.